Broken authentication was #2 on the 2017 OWASP Top 10 list. In 2021 the Broken Authentication category was renamed Identification and Authentication Failures and now also covers Common Weakness Enumerations (CWEs) related to identification failures. Broken authentication is typically caused by poorly implemented authentication and session management functions. Broken authentication attacks aim to take over one or more accounts, giving the attacker the same privileges as the compromised user. Authentication is “broken” when attackers are able to compromise passwords, keys or session tokens, user account information, or other details in order to assume user identities.
Due to poor design and implementation of identity and access controls, the prevalence of broken authentication is widespread. Common risk factors include:
Attackers exploiting broken authentication need to compromise only a handful of accounts to gain a foothold in an entire system, typically by using tools such as automated password-guessing tools and dictionary attacks.
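Because the automated password-guessing tools mentioned above produce a recognisable pattern of repeated failed logins, the attack is detectable on the defending side. The following Python is an added example (not code from the article) that runs simple sliding-window detection over constructed authentication log lines; the log format, thresholds and the `analyze`/`detect_attacks` function names are assumptions made for this example. It flags two patterns: many failures against one account from one source (brute force / dictionary attack) and one source failing against many different accounts (password spraying / credential stuffing).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article). The line
# format "ts auth RESULT user=... src=..." is an assumption for this example.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z auth FAIL user=alice src=203.0.113.7
2024-01-15T10:00:20Z auth FAIL user=alice src=203.0.113.7
2024-01-15T10:00:41Z auth FAIL user=alice src=203.0.113.7
2024-01-15T10:01:02Z auth FAIL user=alice src=203.0.113.7
2024-01-15T10:01:30Z auth FAIL user=alice src=203.0.113.7
2024-01-15T10:02:10Z auth FAIL user=alice src=203.0.113.7
2024-01-15T10:03:00Z auth FAIL user=bob src=198.51.100.9
2024-01-15T10:03:15Z auth FAIL user=carol src=198.51.100.9
2024-01-15T10:03:30Z auth FAIL user=dave src=198.51.100.9
2024-01-15T10:03:45Z auth FAIL user=erin src=198.51.100.9
2024-01-15T10:04:00Z auth FAIL user=frank src=192.0.2.5
2024-01-15T10:04:10Z auth OK user=frank src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log text into (timestamp, result, user, src) tuples sorted by time.

    Malformed lines are skipped rather than crashing the detector.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_attacks(events, window=timedelta(minutes=5), max_fails=5, max_users=3):
    """Flag two patterns of automated password guessing.

    brute_force: one (user, src) pair accumulates >= max_fails failures within `window`.
    spraying:    one src fails against >= max_users distinct accounts within `window`.
    Returns {"brute_force": [(user, src), ...], "spraying": [src, ...]}, each sorted,
    with every offending key reported once.
    """
    fails_by_pair = defaultdict(deque)   # (user, src) -> failure timestamps in window
    fails_by_src = defaultdict(deque)    # src -> (timestamp, user) failures in window
    alerts = {"brute_force": set(), "spraying": set()}

    for ts, result, user, src in events:
        if result != "FAIL":
            continue  # successful logins do not count toward either threshold

        # Brute force against a single account from a single source.
        pair_q = fails_by_pair[(user, src)]
        pair_q.append(ts)
        while pair_q and ts - pair_q[0] > window:
            pair_q.popleft()  # drop failures that fell out of the window
        if len(pair_q) >= max_fails:
            alerts["brute_force"].add((user, src))

        # One source spraying guesses across many different accounts.
        src_q = fails_by_src[src]
        src_q.append((ts, user))
        while src_q and ts - src_q[0][0] > window:
            src_q.popleft()
        if len({u for _, u in src_q}) >= max_users:
            alerts["spraying"].add(src)

    return {kind: sorted(hits) for kind, hits in alerts.items()}


def analyze(text):
    """Convenience wrapper: parse raw log text and run both detectors."""
    return detect_attacks(parse_log(text))


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

On the constructed log this reports a brute-force alert for `alice` from `203.0.113.7` and a spraying alert for `198.51.100.9`, while `frank`'s single typo followed by a successful login produces nothing. In production the same logic would be fed by the real authentication log and paired with the mitigations the OWASP category recommends (rate limiting, lockout or step-up authentication, and multi-factor authentication), since detection alone does not stop the takeover.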